MS15-068–SERIOUS Hyper- V Security Vulnerability

This is one of those rare occasions where I’m going to say: put aside everything you are doing, test this MS15-068 patch now, and deploy it as soon as possible.

The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.

This security update is rated Critical for Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Hyper-V initializes system data structures in guest virtual machines.

I don’t know if this is definitely what we would call a “breakout attack” (I’m awaiting confirmation), one where a hacker in a compromised VM can reach out to the host, but it sure reads like it. This makes it the first one of these that I’ve heard of in the life of Hyper-V (since beta of W2008) – VMware fanboys, you’ve had a few of these so be quiet.


Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

It sounds like a reasonable organization found and privately disclosed this bug, thus allowing Microsoft to protect their customers before it became public knowledge. Google could learn something here.

So once again:

  1. Test the patch quickly
  2. Push it out to secure hosts and other VMs


Some digging by Flemming Riis (MVP) discover that credit goes to Thomas Garnier, Senior Security Software Development Engineer at Microsoft (a specialty in kernel, hypervisor, hardware, cloud and network security), and currently working on Azure OS (hence the Hyper-V interest, I guess). He is co-author of Sysinternals Sysmon with Mark Russinovich.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.